SaaS Cloud computing presentation KPMG - opportunities, implications and practices
ADVISORY
Software-as-a-service
Opportunities, implications and practices
Mike Chung
© 2008 KPMG EDP Auditors N.V., registered with the trade register in the Netherlands under number 33263684, is a member of the KPMG network of independent firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. 145_0908
Contents
• Introduction
• Definition of SaaS
• Opportunities of SaaS
• Points of consideration
• Risks of SaaS
• Overview of main risk areas
• SaaS life cycle methodology
• KPMG's reference model for SaaS
• Conclusion
• Contact details
Introduction
• Software-as-a-Service (SaaS) has evolved from limited on-line software delivery of the late 1990s to a fully matured "direct-sourcing" business model for enterprise application services
• SaaS is one of the fastest growing ICT service concepts: more than 10 million companies will be using SaaS in the next 5 - 10 years; more than 50% of all Fortune 500 companies are already using SaaS for one or more application services
• According to influential IT institutes, SaaS is the leading business model of choice for 2008/2009
• Virtually all big software/service vendors (Microsoft, Oracle, IBM, Cisco) are investing heavily in SaaS while the "traditional" SaaS/ASP vendors such as Salesforce.com and Google are expanding their business application services steadily
• With the continuously increasing bandwidth and reliability of the internet, using web services over the (public) internet has become a viable option for many companies
• An increasing number of SaaS vendors and SaaS aggregators are offering customized, market-specific solutions
Definition of SaaS
• Software provided as a service by a software vendor to multiple customers with the following main characteristics:
  - Standardisation of software - eventually customized for specific customers and markets
  - License based on usage (subscription or "pay-as-you-go")
  - Service including maintenance, support and upgrades
  - Data storage at the SaaS vendor
  - Web based - usage over the (public) internet
[Figure: "On-premise" model (software vendor, customer, user; software services; software + data; software licenses & operational costs) versus "On-demand" (SaaS) model (software vendor, customer, user; software services; "pay-as-you-go"; software + data; internet)]
Opportunities of SaaS 1/3
SaaS offers potential for lowering the Total Cost of Ownership
• Lower operational ICT costs
  - No large scale, costly, high risk implementations of applications
  - Fewer operational resources for application management
  - No platform and hardware (maintenance) costs for application servers
  - Reduced operational complexity: software delivered as a transparent service through the web
• Minimized software development costs
  - No lengthy software development and testing cycles
• Lower costs for software use
  - No software license and annual maintenance fees
  - No expensive software upgrades
  - Lower application consultancy and support costs
  - Efficient use of software without paying for unused/unnecessary software and software modules
  - Financial benefits by the Economies of Scale of the vendor
Opportunities of SaaS 2/3
SaaS offers potential for corporate's business focus
• Focus on core business activities and responsibilities
  - Transparent overview and usage of electronic data and information
  - Automation of iterative, manual tasks
  - Faster Time to Market - easy to scale software
  - More flexibility in changing and modifying application services for business needs
  - Full-scale integration of business processes
• Control over ICT
  - Minimized ICT Service Management efforts mainly focused on availability
  - Well-defined SLAs between the corporation and the ICT vendor
  - More predictable cash flow - easier licensing based on access/usage of software
• Increased productivity and improved user satisfaction
  - Shorter implementation times for ICT services and changes
  - Single point of entrance to business applications provided via the web
  - Automatic software upgrades with minimal outage
Opportunities of SaaS 3/3
SaaS offers potential for utilizing advanced ICT technology
• Enhanced level of security
  - Less locally stored data and very limited locally installed software
  - Monitoring and logging at one (vendor's) location
  - Benefits from the high security levels at SaaS vendors with centralised security expertise and experience
  - Centralised redundancy and fall-back measures
  - Integrated approach of security
• State-of-the-art technology
  - Deployment of state-of-the-art technology by SaaS vendors investing for multiple customers
  - Usage of energy-efficient technology
  - Usage of technology that is scalable and flexible
Points of consideration
• Outsourcing of software services and (business critical) data
• Depreciation of existing software and software servers
• Integration/alignment of existing Service Management processes and the processes of the SaaS vendor(s)
• Single or multi-vendor solutions
• Standardized or customized services
• Several pricing models possible
• Identity & Access Management
• Direct contact with the software vendor or via SaaS resellers/aggregators
• The rate of "outsourcing"
• Logging and monitoring
Risks of SaaS (1/5)
Data confidentiality/integrity
• By using SaaS, the business (critical) data is stored at a remote location outside the corporate's controlled/owned range. It may well lead to extreme dependency on the vendor's integrity and expertise concerning the corporate's valuable and/or confidential data.
Risks:
  - Loss of business data due to inadequate ICT operations by the vendor (redundancy, back-ups, storage)
  - Abuse/misuse/theft of business data due to insufficient security measures including Identity & Access Management
  - Abuse/misuse/theft of business data by vendor's personnel
  - Abuse/misuse/theft of business data by unauthorised external parties such as other SaaS customers
  - Abuse/misuse/theft of business data by unauthorised internal parties causing breaches in the Segregation of Duties
  - Non-compliance due to poor auditability
  - Non-compliance due to lack of Segregation of Duties
  - Uncontrolled data management caused by inadequate separation of data between different SaaS customers
  - Privacy issues due to insufficient assurance to protect confidential and/or personal data
Risks of SaaS (2/5)
Service continuity & availability
• SaaS relies on the availability and the performance of the (public) internet. Any outage or performance degradation may well lead to loss of business. Moreover, since no one really "owns" the internet, it is exceptionally difficult to appoint responsible/accountable parties.
Risks:
  - Discontinuity/unavailability of services in case there is no connectivity to the (public) internet
  - Poor performance due to geographic limitations
  - Difficulties in planning and forecasting when the performance of the internet fluctuates
  - Loss of business data due to poor connectivity or unanticipated activities on the internet
  - Loss/abuse/misuse/theft of business data caused by poor data protection when traversing unsecured networks
  - Non-repudiation issues caused by insufficient authentication and verification mechanisms
Risks of SaaS (3/5)
Service integration
• Most SaaS vendors and aggregators/integrators offer a limited service catalogue, often focused on one market segment and/or functionality. Integration of SaaS with existing (legacy) services, as well as service integration between different SaaS vendors, may well lead to loss of functionalities and to a complex and potentially vulnerable IT environment.
Risks:
  - Loss of software functionalities due to constraints in integrating different services
  - Poor performance due to interface limitations
  - Complexity of the IT environment due to many and/or customized interfaces and connections
  - Difficulties in executing IT changes
  - Complex root-cause analysis
  - Security breaches caused by unclear perimeterisation and unclear demarcation of security responsibilities
Risks of SaaS (4/5)
Performance and support
• SaaS cannot guarantee better performance and support in principle. Operational issues may have been transferred to the vendor, but this does not reduce the risk levels. The complexity of the ICT may have been outsourced, but this does not take away the complexity itself.
Risks:
  - Poor performance of the serviced software due to constraints and limitations at the vendor (too many customers, insufficient capacity)
  - Less flexibility and longer Time-to-market due to too standardised software or inadequate development and testing processes
  - Difficulties in receiving support due to poor ICT governance at the vendor
  - Poorly defined SLAs
  - Difficulties in receiving support due to unclear agreements
  - Imbalance between the customer's service requirements/expectations and the vendor's service delivery due to unrealistic expectations and/or inadequate mapping of services and requirements
  - Long-lasting incidents and change requests due to complex root-cause analysis
  - Complex service management due to multiple SaaS vendors and aggregators
  - Loss of productivity by unannounced software/interface changes (Frankenstein Switch)
Risks of SaaS (5/5)
Legal and contractual
• Due to the relatively recent nature of the SaaS concept, legal and contractual issues are yet to be elaborated.
Risks:
  - Difficulties in appointing responsible and accountable parties due to poorly defined contracts and agreements
  - Increased ICT costs by choosing the wrong costs/pricing models
  - Complex contract management due to contracts with multiple SaaS vendors and aggregators
  - Difficulties in data restoration when changing vendors due to unclear contractual demands and lack of control from the customer's perspective
Overview of main risk areas for SaaS
KPMG's SaaS life cycle methodology (1/4)
• Strategy: Vision, Strategy, Feasibility Assessment, Business Case
• Scope & Plan: Current Architecture, Future Architecture, Outline Project Plan, Risk Analysis, Refined Business Case
• Design & Select: Selection Criteria, RFI / RFP, Vendor Evaluation, Selection and Contract
• Transition: Pilot, Detailed Project Plan & Approach, Migration/Implementation
• Deliver: SaaS Delivery, Benefits Realization, Monitoring, Risk and Controls Assessment
• Evolve: Strategic Reviews, New Contracts Negotiation, Performance Improvement
KPMG's SaaS life cycle methodology (2/4)
1. Strategy
• Defining vision
  - Drivers and objectives
  - Outline scope of services to be purchased as SaaS
• Defining strategy
  - Principles and standards
  - Outline approach
  - Tranches/plateaus
• Performing feasibility assessment
  - Organisation and processes
  - Technology
  - Legal and contractual subjects
  - Outline risk analysis
• Building the Business Case
  - Drivers and objectives
  - Alternatives and options
  - Cost and benefits
2. Scope and Plan
• Assessing current architecture
  - Business/Enterprise architecture
  - Technical architecture
• Building future architecture
  - Requirements and limitations
  - Processes (service design)
  - Technology
• Producing outline project plan
  - Sourcing (HR and finances)
  - Governance and project management
• Performing risk analysis
  - Project risks including migration/implementation risks
  - SaaS-related risks
• Refining the Business Case
KPMG's SaaS life cycle methodology (3/4)
3. Design and Select
• Defining selection criteria
  - Functional
  - Service Management
  - Migration/implementation strategy
• Publishing RFI/RFP
  - Market research and analysis
  - Tender strategy
• Evaluating vendors
  - Assessment
  - Proof of Concept
  - Selection
  - Due diligence
• Signing contract(s)
  - SLAs including KPIs
  - OLAs
  - Legal agreements
4. Transition
• Setting up pilot
  - Pilot migration
  - Functional/technical implementation
  - Service management
  - Risk mitigation
  - Evaluation
• Producing detailed, updated transition project plan and approach
• Executing migration
  - Data
  - Service (functional/technical)
  - Service (governance/processes)
KPMG's SaaS life cycle methodology (4/4)
5. Deliver
• Delivering SaaS
  - Functional/technical
  - Governance/processes
• Realizing benefits
  - Financial
  - Business-wise
  - Service oriented
  - Technological
• Monitoring
• Performing risk and controls assessment
  - Security
  - Service and performance
  - Compliance
  - Legal and contractual
6. Evolve
• Performing strategic reviews
  - Functional/technical
  - Financial
  - Service delivery
  - Risk assessment
  - Pre/post SaaS impact
  - Benchmarking
• Negotiating new contracts
• Processing performance improvement
  - Remediation
  - Restructuring
  - Optimization
KPMG's reference model for SaaS
[Figure: reference model diagram; recoverable labels: "Identity and Access Management", "Integral Security Management", "Federation"]
Conclusion
• As with opportunity comes danger, SaaS offers huge possibilities and poses serious risks
• While the software and operational activities can be transferred to the SaaS vendor, SaaS will not reduce the risk levels in principle
• To benefit optimally from SaaS, it is essential to take mitigating measures prior to implementation
• A structured approach and "best practices" are key success factors
Contact details
Mike Chung
Manager
+31 (0)6 1455 [email protected]
Office address: KPMG IT Advisory, Burg. Rijnderslaan 20, 1185 MC Amstelveen, The Netherlands